oss-sec mailing list archives

PostgreSQL insecure install via yum (multiple problems)


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Aug 2013 18:58:22 -0600


Problem:

So I wanted to install PostgreSQL 9.2 to test something. So I google
"postgresql 9.2 rpm" and get sent to:

http://yum.postgresql.org/repopackages.php

which is not available by HTTPS at all. Not ideal, but OK, I download
it over HTTP because I can check the signature on the file, right?

Wrong: I can't find the key anywhere. I try pgp.mit.edu, I even google
site:postgresql.org 442df0f8, and all you get are archived emails with
the warning that the signature can't be checked. No copy of the key.

Solution:

Can PostgreSQL please set up HTTPS immediately for this site, and also
publish the GPG key used to sign their RPMs in a secure manner (e.g.
on the HTTPS site)?

To replicate:

$ wget
https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm

Fails.

$ wget
https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm

Gets the file but:

$ rpm -K pgdg-centos92-9.2-6.noarch.rpm
pgdg-centos92-9.2-6.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
(MISSING KEYS: GPG#442df0f8)

Signing RPMs isn't very useful if you never make the signing key
available!


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


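The post's `rpm -K` run shows the failure mode (MISSING KEYS) but not what a correct check looks like once a key is available. The script below is an added example, not part of the post and not PostgreSQL's or PGDG's own tooling: it refuses to import a signing key unless its fingerprint matches a value pinned out of band, then interprets `rpm -K` output, treating "OK" as a verified signature only when the line also names a pgp/gpg signature, because rpm prints "OK" for an unsigned package whose digests merely match. The key file name, package name and pinned fingerprint are placeholders (the real PGDG fingerprint is not given on the page), and `gpg --import-options show-only` assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: pin a signing-key fingerprint, import only on match, and
# decide whether `rpm -K` actually verified a signature. Placeholder inputs
# throughout; nothing here is the project's own procedure.
set -eu

# Classify one line of `rpm -K` output.
#   unverifiable : signature present but the key is not in the rpm keyring
#   bad          : signature or digest mismatch
#   signed-ok    : digests and a pgp/gpg signature verified
#   unsigned     : digests OK but no signature at all (rpm still says "OK")
rpm_k_verdict() {
  line="$1"
  case "$line" in
    *"MISSING KEYS"*)  echo "unverifiable" ;;
    *"NOT OK"*)        echo "bad" ;;
    *pgp*OK|*gpg*OK)   echo "signed-ok" ;;
    *" OK")            echo "unsigned" ;;
    *)                 echo "unknown" ;;
  esac
}

# Print the primary fingerprint of the first key in an ASCII-armored file
# without importing it (GnuPG 2.1+: colon output has "fpr:::::::::<HEX>:").
key_fingerprint() {
  gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare an observed fingerprint against the pinned one, ignoring spaces
# and case. An empty observed fingerprint never matches.
fingerprint_matches() {
  obs=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  pin=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$obs" ] && [ "$obs" = "$pin" ]
}

# verify_rpm KEYFILE PINNED_FPR PACKAGE.rpm
# Imports the key only if its fingerprint matches, then requires a verified
# signature; exit status is non-zero for anything short of "signed-ok".
verify_rpm() {
  key="$1"; pin="$2"; pkg="$3"
  fpr=$(key_fingerprint "$key")
  if ! fingerprint_matches "$fpr" "$pin"; then
    echo "refusing to import $key: fingerprint '$fpr' != pinned '$pin'" >&2
    return 1
  fi
  rpm --import "$key"
  out=$(rpm -K "$pkg" 2>&1 || true)
  verdict=$(rpm_k_verdict "$out")
  echo "$pkg: $verdict ($out)"
  [ "$verdict" = "signed-ok" ]
}

# Usage (placeholder values):
#   sh verify.sh verify RPM-GPG-KEY-EXAMPLE \
#      'AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333' pkg.rpm
# The pinned fingerprint must come from a channel independent of the
# download (HTTPS page, printed material, a signed announcement).
case "${1:-}" in
  verify) verify_rpm "$2" "$3" "$4" ;;
esac
```

For a repository rather than a single package, the same pinning applies to the `gpgkey=` URL in the yum `.repo` file: with `gpgcheck=1`, yum imports that key on first use, so the URL should be HTTPS and the fingerprint it yields should be compared against the pinned value before answering "y" to the import prompt.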